xypriss 2.2.5 → 2.3.0

package/dist/cjs/src/middleware/built-in/security/SQLInjectionDetector.js

@@ -0,0 +1,335 @@
+'use strict';
+
+class SQLInjectionDetector {
+    constructor(config = {}) {
+        // High-confidence SQL injection patterns (more specific to reduce false positives)
+        this.highRiskPatterns = [
+            // Union attacks with SELECT
+            /(\s|^)(union|UNION)(\s)+(all\s+)?(select|SELECT)/gi,
+            // SQL comments at end of input or before SQL keywords
+            /(--|#|\/\*).*?(select|union|drop|delete|insert|update|create|alter)/gi,
+            /;(\s)*--.*/gi,
+            // Enhanced boolean injections (more comprehensive)
+            /(\s|^)(or|OR)(\s)+('?\d+'?\s*=\s*'?\d+'?|'[^']*'\s*=\s*'[^']*'|true|false)/gi,
+            /(\s|^)(and|AND)(\s)+('?\d+'?\s*=\s*'?\d+'?|'[^']*'\s*=\s*'[^']*'|true|false)/gi,
+            // Quote-based boolean injections
+            /'(\s)+(or|OR|and|AND)(\s)+'/gi,
+            // Comment-obfuscated patterns
+            /\/\*.*?\*\/(or|OR|and|AND)\/\*.*?\*\//gi,
+            // Time-based with specific syntax (enhanced)
+            /(sleep|SLEEP|waitfor|WAITFOR|delay|DELAY)\s*\(.*?\)/gi,
+            /(waitfor|WAITFOR)\s+(delay|DELAY)\s+'/gi,
+            // System stored procedures
+            /(exec|EXEC|execute|EXECUTE)\s+(sp_|xp_)\w+/gi,
+            // Information schema with specific queries
+            /(information_schema|INFORMATION_SCHEMA)\.(tables|columns|schemata)/gi,
+            // Dangerous DDL operations with semicolons
+            /;(\s)*(drop|DROP|delete|DELETE|truncate|TRUNCATE)\s+(table|database)/gi,
+            // Hex encoding of common injection strings
+            /0x(27|22|5C|2D|2D)/gi, // ', ", \, --
+            // Multiple quotes for quote breaking
+            /('{3,}|"{3,})/g,
+            // Stacked queries with dangerous operations
+            /;(\s)*(drop|delete|insert|update|create|alter)(\s)+/gi,
+        ];
+        // Medium risk patterns (require context analysis)
+        this.mediumRiskPatterns = [
+            // Single SQL keywords (common in legitimate text)
+            /\b(select|union|drop|delete|insert|update|create|alter)\b/gi,
+            // Simple OR/AND conditions
+            /\b(or|and)\s+\w+\s*=\s*\w+/gi,
+            // Single quotes or double quotes
+            /'/g,
+            /"/g,
+            // Basic SQL comments
+            /(--|#)/g,
+            // Wildcards
+            /[%_]/g,
+        ];
+        // Characters that are suspicious in certain contexts
+        this.contextSensitiveChars = /[';\"\\%_]/g;
+        this.config = {
+            strictMode: config.strictMode ?? false,
+            allowedChars: config.allowedChars ?? /^[a-zA-Z0-9\s\-@.!?,()]+$/,
+            maxLength: config.maxLength ?? 1000,
+            logAttempts: config.logAttempts ?? true,
+            contextualAnalysis: config.contextualAnalysis ?? true,
+            falsePositiveThreshold: config.falsePositiveThreshold ?? 0.6,
+        };
+    }
+    /**
+     * Main detection method with improved false positive handling
+     */
+    detect(input, context) {
+        if (!input || typeof input !== "string") {
+            return {
+                isMalicious: false,
+                confidence: 0,
+                detectedPatterns: [],
+                riskLevel: "LOW",
+            };
+        }
+        const result = {
+            isMalicious: false,
+            confidence: 0,
+            detectedPatterns: [],
+            sanitizedInput: input,
+            riskLevel: "LOW",
+        };
+        // Check input length (very long inputs are suspicious)
+        if (input.length > this.config.maxLength) {
+            result.confidence += 0.2; // Reduced penalty for length
+            result.detectedPatterns.push("Excessive length");
+        }
+        // High-risk pattern analysis (strong indicators)
+        let highRiskScore = 0;
+        this.highRiskPatterns.forEach((pattern, index) => {
+            const matches = input.match(pattern);
+            if (matches) {
+                const patternName = this.getHighRiskPatternName(index);
+                result.detectedPatterns.push(`${patternName}: ${matches.join(", ")}`);
+                highRiskScore += this.getHighRiskPatternWeight(index);
+            }
+        });
+        // Medium-risk pattern analysis (context-dependent)
+        let mediumRiskScore = 0;
+        if (this.config.contextualAnalysis) {
+            mediumRiskScore = this.analyzeContext(input, context || "");
+        }
+        else {
+            // Basic medium risk analysis without context
+            this.mediumRiskPatterns.forEach((pattern, index) => {
+                const matches = input.match(pattern);
+                if (matches) {
+                    mediumRiskScore += 0.1 * matches.length; // Lower weight for medium risk
+                }
+            });
+        }
+        // Contextual analysis for legitimate use cases
+        const legitimacyScore = this.calculateLegitimacyScore(input);
+        // Calculate confidence with false positive mitigation
+        const rawScore = highRiskScore + mediumRiskScore * 0.3;
+        result.confidence = Math.max(0, rawScore - legitimacyScore);
+        result.confidence = Math.min(result.confidence, 1.0);
+        // Determine risk level and malicious status
+        if (result.confidence >= 0.8) {
+            result.riskLevel = "CRITICAL";
+            result.isMalicious = true;
+        }
+        else if (result.confidence >= this.config.falsePositiveThreshold) {
+            result.riskLevel = "HIGH";
+            result.isMalicious = true;
+        }
+        else if (result.confidence >= 0.3) {
+            result.riskLevel = "MEDIUM";
+            result.isMalicious = false; // Don't block medium risk by default
+        }
+        else {
+            result.riskLevel = "LOW";
+            result.isMalicious = false;
+        }
+        // Log only high confidence attempts
+        if (this.config.logAttempts && result.confidence >= 0.7) {
+            this.logAttempt(input, result);
+        }
+        // Provide sanitized version only for high-risk inputs
+        if (result.confidence >= 0.4) {
+            result.sanitizedInput = this.smartSanitize(input);
+        }
+        return result;
+    }
+    /**
+     * Analyze context to reduce false positives
+     */
+    analyzeContext(input, context) {
+        let score = 0;
+        // Check for legitimate business contexts
+        const businessContexts = [
+            "search",
+            "filter",
+            "name",
+            "description",
+            "comment",
+            "review",
+            "address",
+            "title",
+            "content",
+            "message",
+            "email",
+        ];
+        const isBusinessContext = businessContexts.some((ctx) => context.toLowerCase().includes(ctx));
+        this.mediumRiskPatterns.forEach((pattern, index) => {
+            const matches = input.match(pattern);
+            if (matches) {
+                let patternScore = 0.1 * matches.length;
+                // Reduce score for legitimate contexts
+                if (isBusinessContext) {
+                    patternScore *= 0.3; // Reduce by 70%
+                }
+                // Special handling for common false positives
+                if (index === 0 && isBusinessContext) {
+                    // SQL keywords in business text
+                    patternScore *= 0.1; // Very low weight for SQL keywords in business context
+                }
+                if (index === 2 || index === 3) {
+                    // Single quotes in names, descriptions
+                    if (context.includes("name") ||
+                        context.includes("description")) {
+                        patternScore *= 0.2;
+                    }
+                }
+                score += patternScore;
+            }
+        });
+        return score;
+    }
+    /**
+     * Calculate legitimacy score to offset false positives
+     */
+    calculateLegitimacyScore(input) {
+        let legitimacyScore = 0;
+        // Natural language indicators
+        const naturalWords = input.match(/\b[a-zA-Z]{3,}\b/g);
+        if (naturalWords && naturalWords.length > 2) {
+            legitimacyScore += 0.2; // Looks like natural text
+        }
+        // Check for common legitimate patterns
+        const legitimatePatterns = [
+            /^[A-Z][a-z]+\s[A-Z][a-z]+$/, // First Last name
+            /^[\w\.-]+@[\w\.-]+\.\w+$/, // Email
+            /^\d{1,5}\s\w+(\s\w+)*$/, // Address format
+            /^[A-Za-z0-9\s\-.,!?()]+$/, // Normal text with punctuation
+        ];
+        legitimatePatterns.forEach((pattern) => {
+            if (pattern.test(input)) {
+                legitimacyScore += 0.15;
+            }
+        });
+        // Length-based legitimacy (very short or very specific lengths are more suspicious)
+        if (input.length > 10 && input.length < 200) {
+            legitimacyScore += 0.1;
+        }
+        // Check for balanced quotes (legitimate text often has balanced quotes)
+        const singleQuotes = (input.match(/'/g) || []).length;
+        const doubleQuotes = (input.match(/"/g) || []).length;
+        if (singleQuotes % 2 === 0 && doubleQuotes % 2 === 0) {
+            legitimacyScore += 0.1;
+        }
+        return Math.min(legitimacyScore, 0.5); // Cap legitimacy score
+    }
+    /**
+     * Smart sanitization that preserves legitimate content
+     */
+    smartSanitize(input) {
+        if (!input)
+            return input;
+        let sanitized = input;
+        // Only remove obvious SQL injection patterns, not all SQL keywords
+        sanitized = sanitized.replace(/(--|#).*$/gm, ""); // Remove comment tails
+        sanitized = sanitized.replace(/\/\*.*?\*\//g, ""); // Remove /* */ comments
+        // Only escape quotes if they appear to be part of injection attempts
+        const suspiciousQuotes = /'(\s*(or|and|union|select)\s|;|\s*--)/gi;
+        sanitized = sanitized.replace(suspiciousQuotes, "''$1");
+        // Remove only dangerous control characters
+        sanitized = sanitized.replace(/[\x00\x1a]/g, "");
+        // Only remove semicolons if followed by SQL keywords
+        sanitized = sanitized.replace(/;(\s)*(drop|delete|insert|update|create|alter|union|select)/gi, " $2");
+        return sanitized.trim();
+    }
+    /**
+     * Validate and sanitize input, throwing error if malicious
+     */
+    validateAndSanitize(input, throwOnDetection = false) {
+        const result = this.detect(input);
+        if (result.isMalicious && throwOnDetection) {
+            throw new Error(`SQL injection attempt detected. Confidence: ${(result.confidence * 100).toFixed(1)}%. ` +
+                `Patterns: ${result.detectedPatterns.join(", ")}`);
+        }
+        return result.sanitizedInput || "";
+    }
+    /**
+     * Create parameterized query helper
+     */
+    createParameterizedQuery(query, params) {
+        // Simple parameterization helper
+        let parameterizedQuery = query;
+        const safeParams = [];
+        params.forEach((param, index) => {
+            if (typeof param === "string") {
+                const result = this.detect(param);
+                if (result.isMalicious) {
+                    throw new Error(`Parameter ${index} contains potential SQL injection`);
+                }
+                safeParams.push(result.sanitizedInput);
+            }
+            else {
+                safeParams.push(param);
+            }
+        });
+        return { query: parameterizedQuery, params: safeParams };
+    }
+    getHighRiskPatternName(index) {
+        const names = [
+            "Union-Select attack",
+            "Commented injection",
+            "Comment with semicolon",
+            "Enhanced boolean OR",
+            "Enhanced boolean AND",
+            "Quote-based boolean",
+            "Comment-obfuscated injection",
+            "Time-based delay",
+            "WAITFOR delay attack",
+            "System procedure call",
+            "Information schema query",
+            "DDL with semicolon",
+            "Hex-encoded injection",
+            "Quote sequence attack",
+            "Stacked query attack",
+        ];
+        return names[index] || `High-risk pattern ${index}`;
+    }
+    getHighRiskPatternWeight(index) {
+        // Higher weights for more definitive attack patterns
+        const weights = [
+            0.9, // Union-Select attack
+            0.8, // Commented injection
+            0.7, // Comment with semicolon
+            0.8, // Enhanced boolean OR
+            0.8, // Enhanced boolean AND
+            0.7, // Quote-based boolean
+            0.8, // Comment-obfuscated injection
+            0.9, // Time-based delay
+            0.8, // WAITFOR delay attack
+            0.8, // System procedure call
+            0.7, // Information schema query
+            0.9, // DDL with semicolon
+            0.6, // Hex-encoded injection
+            0.5, // Quote sequence attack
+            0.8, // Stacked query attack
+        ];
+        return weights[index] || 0.7;
+    }
+    logAttempt(input, result) {
+        console.warn(`SQL Injection Attempt Detected:`, {
+            timestamp: new Date().toISOString(),
+            input: input.substring(0, 100) + (input.length > 100 ? "..." : ""),
+            confidence: result.confidence,
+            patterns: result.detectedPatterns,
+        });
+    }
+    /**
+     * Update configuration
+     */
+    updateConfig(newConfig) {
+        this.config = { ...this.config, ...newConfig };
+    }
+    /**
+     * Get current configuration
+     */
+    getConfig() {
+        return { ...this.config };
+    }
+}
+
+module.exports = SQLInjectionDetector;
+//# sourceMappingURL=SQLInjectionDetector.js.map

package/dist/cjs/src/middleware/built-in/security/SQLInjectionDetector.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"SQLInjectionDetector.js","sources":["../../../../../../src/middleware/built-in/security/SQLInjectionDetector.ts"],"sourcesContent":[null],"names":[],"mappings":";;AAiBA,MAAM,oBAAoB,CAAA;AAmEtB,IAAA,WAAA,CAAY,SAA6B,EAAE,EAAA;;AA/D1B,QAAA,IAAA,CAAA,gBAAgB,GAAG;;YAEhC,oDAAoD;;YAGpD,uEAAuE;YACvE,cAAc;;YAGd,8EAA8E;YAC9E,gFAAgF;;YAGhF,+BAA+B;;YAG/B,yCAAyC;;YAGzC,uDAAuD;YACvD,yCAAyC;;YAGzC,8CAA8C;;YAG9C,sEAAsE;;YAGtE,wEAAwE;;AAGxE,YAAA,sBAAsB;;YAGtB,gBAAgB;;YAGhB,uDAAuD;SAC1D,CAAC;;AAGe,QAAA,IAAA,CAAA,kBAAkB,GAAG;;YAElC,6DAA6D;;YAG7D,8BAA8B;;YAG9B,IAAI;YACJ,IAAI;;YAGJ,SAAS;;YAGT,OAAO;SACV,CAAC;;QAGe,IAAqB,CAAA,qBAAA,GAAG,aAAa,CAAC;QAGnD,IAAI,CAAC,MAAM,GAAG;AACV,YAAA,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,KAAK;AACtC,YAAA,YAAY,EAAE,MAAM,CAAC,YAAY,IAAI,2BAA2B;AAChE,YAAA,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,IAAI;AACnC,YAAA,WAAW,EAAE,MAAM,CAAC,WAAW,IAAI,IAAI;AACvC,YAAA,kBAAkB,EAAE,MAAM,CAAC,kBAAkB,IAAI,IAAI;AACrD,YAAA,sBAAsB,EAAE,MAAM,CAAC,sBAAsB,IAAI,GAAG;SAC/D,CAAC;KACL;AAED;;AAEG;IACH,MAAM,CACF,KAAgC,EAChC,OAAgB,EAAA;QAEhB,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE;YACrC,OAAO;AACH,gBAAA,WAAW,EAAE,KAAK;AAClB,gBAAA,UAAU,EAAE,CAAC;AACb,gBAAA,gBAAgB,EAAE,EAAE;AACpB,gBAAA,SAAS,EAAE,KAAK;aACnB,CAAC;SACL;AAED,QAAA,MAAM,MAAM,GAAoB;AAC5B,YAAA,WAAW,EAAE,KAAK;AAClB,YAAA,UAAU,EAAE,CAAC;AACb,YAAA,gBAAgB,EAAE,EAAE;AACpB,YAAA,cAAc,EAAE,KAAK;AACrB,YAAA,SAAS,EAAE,KAAK;SACnB,CAAC;;QAGF,IAAI,KAAK,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE;AACtC,YAAA,MAAM,CAAC,UAAU,IAAI,GAAG,CAAC;AACzB,YAAA,MAAM,CAAC,gBAAgB,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;SACpD;;QAGD,IAAI,aAAa,GAAG,CAAC,CAAC;QACtB,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,KAAK,KAAI;YAC7C,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YACrC,IAAI,OAAO,EAAE;gBACT,MAAM,WAAW,GAAG,IAAI,CAAC,sBAAsB,CAAC,KAAK,CAAC,CAAC;AACvD,gBAAA,MAAM,CAAC,gBAAgB,CAAC,IAAI,CACxB,GAAG,WAAW,CAAA,EAAA,EAAK,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA,CAAE,CAC1C,CAAC;AACF,gBAAA,aAAa,IAAI,IAAI,CAAC,wBAAwB,CAAC,KAAK,CAAC,CAAC;aACzD;AACL,SAAC,CAAC,CAAC;;QAGH,IAAI,eAAe,GAAG,CAAC,CAAC;AACxB,QAAA,IAAI,IAAI,CAAC,MAAM,CAAC,kBAAkB,EAAE;YAChC,eAAe,GAAG,IAAI,CAAC,cAAc,CAAC,KAAK,EAAE,OAAO,IAAI,EAAE,CAAC,CAAC;SAC/D;aAAM;;YAEH,IAAI,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,KAAK,KAAI;gBAC/C,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;gBACrC,IAAI,OAAO,EAAE;oBACT,eAAe,IAAI,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC;iBAC3C;AACL,aAAC,CAAC,CAAC;SACN;;QAGD,MAAM,eAAe,GAAG,IAAI,CAAC,wBAAwB,CAAC,KAAK,CAAC,CAAC;;AAG7D,QAAA,MAAM,QAAQ,GAAG,aAAa,GAAG,eAAe,GAAG,GAAG,CAAC;AACvD,QAAA,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,QAAQ,GAAG,eAAe,CAAC,CAAC;AAC5D,QAAA,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;;AAGrD,QAAA,IAAI,MAAM,CAAC,UAAU,IAAI,GAAG,EAAE;AAC1B,YAAA,MAAM,CAAC,SAAS,GAAG,UAAU,CAAC;AAC9B,YAAA,MAAM,CAAC,WAAW,GAAG,IAAI,CAAC;SAC7B;aAAM,IAAI,MAAM,CAAC,UAAU,IAAI,IAAI,CAAC,MAAM,CAAC,sBAAsB,EAAE;AAChE,YAAA,MAAM,CAAC,SAAS,GAAG,MAAM,CAAC;AAC1B,YAAA,MAAM,CAAC,WAAW,GAAG,IAAI,CAAC;SAC7B;AAAM,aAAA,IAAI,MAAM,CAAC,UAAU,IAAI,GAAG,EAAE;AACjC,YAAA,MAAM,CAAC,SAAS,GAAG,QAAQ,CAAC;AAC5B,YAAA,MAAM,CAAC,WAAW,GAAG,KAAK,CAAC;SAC9B;aAAM;AACH,YAAA,MAAM,CAAC,SAAS,GAAG,KAAK,CAAC;AACzB,YAAA,MAAM,CAAC,WAAW,GAAG,KAAK,CAAC;SAC9B;;AAGD,QAAA,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,IAAI,MAAM,CAAC,UAAU,IAAI,GAAG,EAAE;AACrD,YAAA,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;SAClC;;AAGD,QAAA,IAAI,MAAM,CAAC,UAAU,IAAI,GAAG,EAAE;YAC1B,MAAM,CAAC,cAAc,GAAG,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;SACrD;AAED,QAAA,OAAO,MAAM,CAAC;KACjB;AAED;;AAEG;IACK,cAAc,CAAC,KAAa,EAAE,OAAe,EAAA;QACjD,IAAI,KAAK,GAAG,CAAC,CAAC;;AAGd,QAAA,MAAM,gBAAgB,GAAG;YACrB,QAAQ;YACR,QAAQ;YACR,MAAM;YACN,aAAa;YACb,SAAS;YACT,QAAQ;YACR,SAAS;YACT,OAAO;YACP,SAAS;YACT,SAAS;YACT,OAAO;SACV,CAAC;QAEF,MAAM,iBAAiB,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC,GAAG,KAChD,OAAO,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,CACtC,CAAC;QAEF,IAAI,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,KAAK,KAAI;YAC/C,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YACrC,IAAI,OAAO,EAAE;AACT,gBAAA,IAAI,YAAY,GAAG,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC;;gBAGxC,IAAI,iBAAiB,EAAE;AACnB,oBAAA,YAAY,IAAI,GAAG,CAAC;iBACvB;;AAGD,gBAAA,IAAI,KAAK,KAAK,CAAC,IAAI,iBAAiB,EAAE;;AAElC,oBAAA,YAAY,IAAI,GAAG,CAAC;iBACvB;gBAED,IAAI,KAAK,KAAK,CAAC,IAAI,KAAK,KAAK,CAAC,EAAE;;AAE5B,oBAAA,IACI,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;AACxB,wBAAA,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,EACjC;wBACE,YAAY,IAAI,GAAG,CAAC;qBACvB;iBACJ;gBAED,KAAK,IAAI,YAAY,CAAC;aACzB;AACL,SAAC,CAAC,CAAC;AAEH,QAAA,OAAO,KAAK,CAAC;KAChB;AAED;;AAEG;AACK,IAAA,wBAAwB,CAAC,KAAa,EAAA;QAC1C,IAAI,eAAe,GAAG,CAAC,CAAC;;QAGxB,MAAM,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAC;QACtD,IAAI,YAAY,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE;AACzC,YAAA,eAAe,IAAI,GAAG,CAAC;SAC1B;;AAGD,QAAA,MAAM,kBAAkB,GAAG;AACvB,YAAA,4BAA4B;AAC5B,YAAA,0BAA0B;AAC1B,YAAA,wBAAwB;AACxB,YAAA,0BAA0B;SAC7B,CAAC;AAEF,QAAA,kBAAkB,CAAC,OAAO,CAAC,CAAC,OAAO,KAAI;AACnC,YAAA,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE;gBACrB,eAAe,IAAI,IAAI,CAAC;aAC3B;AACL,SAAC,CAAC,CAAC;;AAGH,QAAA,IAAI,KAAK,CAAC,MAAM,GAAG,EAAE,IAAI,KAAK,CAAC,MAAM,GAAG,GAAG,EAAE;YACzC,eAAe,IAAI,GAAG,CAAC;SAC1B;;AAGD,QAAA,MAAM,YAAY,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,MAAM,CAAC;AACtD,QAAA,MAAM,YAAY,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,MAAM,CAAC;AACtD,QAAA,IAAI,YAAY,GAAG,CAAC,KAAK,CAAC,IAAI,YAAY,GAAG,CAAC,KAAK,CAAC,EAAE;YAClD,eAAe,IAAI,GAAG,CAAC;SAC1B;QAED,OAAO,IAAI,CAAC,GAAG,CAAC,eAAe,EAAE,GAAG,CAAC,CAAC;KACzC;AAED;;AAEG;AACH,IAAA,aAAa,CAAC,KAAa,EAAA;AACvB,QAAA,IAAI,CAAC,KAAK;AAAE,YAAA,OAAO,KAAK,CAAC;QAEzB,IAAI,SAAS,GAAG,KAAK,CAAC;;QAGtB,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;QACjD,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC;;QAGlD,MAAM,gBAAgB,GAAG,yCAAyC,CAAC;QACnE,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC;;QAGxD,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;;QAGjD,SAAS,GAAG,SAAS,CAAC,OAAO,CACzB,+DAA+D,EAC/D,KAAK,CACR,CAAC;AAEF,QAAA,OAAO,SAAS,CAAC,IAAI,EAAE,CAAC;KAC3B;AAED;;AAEG;AACH,IAAA,mBAAmB,CACf,KAAa,EACb,gBAAA,GAA4B,KAAK,EAAA;QAEjC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAElC,QAAA,IAAI,MAAM,CAAC,WAAW,IAAI,gBAAgB,EAAE;AACxC,YAAA,MAAM,IAAI,KAAK,CACX,CAA+C,4CAAA,EAAA,CAC3C,MAAM,CAAC,UAAU,GAAG,GAAG,EACzB,OAAO,CAAC,CAAC,CAAC,CAAK,GAAA,CAAA;gBACb,CAAa,UAAA,EAAA,MAAM,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAE,CAAA,CACxD,CAAC;SACL;AAED,QAAA,OAAO,MAAM,CAAC,cAAc,IAAI,EAAE,CAAC;KACtC;AAED;;AAEG;IACH,wBAAwB,CACpB,KAAa,EACb,MAAa,EAAA;;QAGb,IAAI,kBAAkB,GAAG,KAAK,CAAC;QAC/B,MAAM,UAAU,GAAU,EAAE,CAAC;QAE7B,MAAM,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,KAAK,KAAI;AAC5B,YAAA,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE;gBAC3B,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAClC,gBAAA,IAAI,MAAM,CAAC,WAAW,EAAE;AACpB,oBAAA,MAAM,IAAI,KAAK,CACX,aAAa,KAAK,CAAA,iCAAA,CAAmC,CACxD,CAAC;iBACL;AACD,gBAAA,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;aAC1C;iBAAM;AACH,gBAAA,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;aAC1B;AACL,SAAC,CAAC,CAAC;QAEH,OAAO,EAAE,KAAK,EAAE,kBAAkB,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;KAC5D;AAEO,IAAA,sBAAsB,CAAC,KAAa,EAAA;AACxC,QAAA,MAAM,KAAK,GAAG;YACV,qBAAqB;YACrB,qBAAqB;YACrB,wBAAwB;YACxB,qBAAqB;YACrB,sBAAsB;YACtB,qBAAqB;YACrB,8BAA8B;YAC9B,kBAAkB;YAClB,sBAAsB;YACtB,uBAAuB;YACvB,0BAA0B;YAC1B,oBAAoB;YACpB,uBAAuB;YACvB,uBAAuB;YACvB,sBAAsB;SACzB,CAAC;QACF,OAAO,KAAK,CAAC,KAAK,CAAC,IAAI,CAAqB,kBAAA,EAAA,KAAK,EAAE,CAAC;KACvD;AAEO,IAAA,wBAAwB,CAAC,KAAa,EAAA;;AAE1C,QAAA,MAAM,OAAO,GAAG;AACZ,YAAA,GAAG;AACH,YAAA,GAAG;AACH,YAAA,GAAG;AACH,YAAA,GAAG;AACH,YAAA,GAAG;AACH,YAAA,GAAG;AACH,YAAA,GAAG;AACH,YAAA,GAAG;AACH,YAAA,GAAG;AACH,YAAA,GAAG;AACH,YAAA,GAAG;AACH,YAAA,GAAG;AACH,YAAA,GAAG;AACH,YAAA,GAAG;AACH,YAAA,GAAG;SACN,CAAC;AACF,QAAA,OAAO,OAAO,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC;KAChC;IAEO,UAAU,CAAC,KAAa,EAAE,MAAuB,EAAA;AACrD,QAAA,OAAO,CAAC,IAAI,CAAC,CAAA,+BAAA,CAAiC,EAAE;AAC5C,YAAA,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,KAAK,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,IAAI,KAAK,CAAC,MAAM,GAAG,GAAG,GAAG,KAAK,GAAG,EAAE,CAAC;YAClE,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,QAAQ,EAAE,MAAM,CAAC,gBAAgB;AACpC,SAAA,CAAC,CAAC;KACN;AAED;;AAEG;AACH,IAAA,YAAY,CAAC,SAAsC,EAAA;AAC/C,QAAA,IAAI,CAAC,MAAM,GAAG,EAAE,GAAG,IAAI,CAAC,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;KAClD;AAED;;AAEG;IACH,SAAS,GAAA;AACL,QAAA,OAAO,EAAE,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;KAC7B;AACJ;;;;"}

package/dist/cjs/src/middleware/built-in/security/XXEProtector.js

@@ -0,0 +1,175 @@
+'use strict';
+
+/**
+ * XXE (XML External Entity) Protection Module
+ *
+ * Detects and prevents XXE attacks in XML parsing
+ * Uses libxmljs2 for secure XML parsing
+ */
+class XXEProtector {
+    constructor(config = {}) {
+        // Dangerous XXE patterns
+        this.dangerousPatterns = [
+            // External entity declarations
+            /<!ENTITY\s+\w+\s+SYSTEM\s+/gi,
+            /<!ENTITY\s+\w+\s+PUBLIC\s+/gi,
+            // Parameter entities
+            /<!ENTITY\s+%\s+\w+/gi,
+            // External DTD
+            /<!DOCTYPE\s+\w+\s+SYSTEM\s+/gi,
+            /<!DOCTYPE\s+\w+\s+PUBLIC\s+/gi,
+            // File protocol
+            /SYSTEM\s+["']file:\/\//gi,
+            // HTTP/HTTPS external resources
+            /SYSTEM\s+["'](https?|ftp):\/\//gi,
+            // PHP wrappers (common in XXE)
+            /php:\/\//gi,
+            /expect:\/\//gi,
+            // Data URIs
+            /data:\/\//gi,
+        ];
+        this.config = {
+            enabled: config.enabled ?? true,
+            strictMode: config.strictMode ?? true,
+            logAttempts: config.logAttempts ?? true,
+            blockOnDetection: config.blockOnDetection ?? true,
+            falsePositiveThreshold: config.falsePositiveThreshold ?? 0.5,
+            customPatterns: config.customPatterns ?? [],
+            allowDTD: config.allowDTD ?? false,
+            allowExternalEntities: config.allowExternalEntities ?? false,
+            maxEntityExpansions: config.maxEntityExpansions ?? 0,
+        };
+    }
+    /**
+     * Detect XXE attempts in XML content
+     */
+    detect(xmlContent) {
+        if (!xmlContent || typeof xmlContent !== 'string') {
+            return {
+                isMalicious: false,
+                confidence: 0,
+                detectedPatterns: [],
+                riskLevel: 'LOW',
+            };
+        }
+        const result = {
+            isMalicious: false,
+            confidence: 0,
+            detectedPatterns: [],
+            sanitizedInput: xmlContent,
+            riskLevel: 'LOW',
+        };
+        // Check for dangerous patterns
+        let riskScore = 0;
+        this.dangerousPatterns.forEach((pattern, index) => {
+            const matches = xmlContent.match(pattern);
+            if (matches) {
+                const patternName = this.getPatternName(index);
+                result.detectedPatterns.push(`${patternName}: ${matches.length} occurrence(s)`);
+                riskScore += 0.7;
+            }
+        });
+        // Check for DTD if not allowed
+        if (!this.config.allowDTD && /<!DOCTYPE/gi.test(xmlContent)) {
+            result.detectedPatterns.push('DTD declaration (not allowed)');
+            riskScore += 0.5;
+        }
+        // Check for entity declarations
+        if (!this.config.allowExternalEntities && /<!ENTITY/gi.test(xmlContent)) {
+            result.detectedPatterns.push('Entity declaration (not allowed)');
+            riskScore += 0.6;
+        }
+        // Calculate confidence
+        result.confidence = Math.min(riskScore, 1.0);
+        // Determine risk level
+        if (result.confidence >= 0.8) {
+            result.riskLevel = 'CRITICAL';
+            result.isMalicious = true;
+        }
+        else if (result.confidence >= this.config.falsePositiveThreshold) {
+            result.riskLevel = 'HIGH';
+            result.isMalicious = true;
+        }
+        else if (result.confidence >= 0.3) {
+            result.riskLevel = 'MEDIUM';
+            result.isMalicious = this.config.strictMode;
+        }
+        // Sanitize XML
+        if (result.confidence >= 0.3) {
+            result.sanitizedInput = this.sanitizeXML(xmlContent);
+        }
+        // Log attempts
+        if (this.config.logAttempts && result.confidence >= 0.5) {
+            this.logAttempt(result);
+        }
+        return result;
+    }
+    /**
+     * Sanitize XML by removing dangerous constructs
+     */
+    sanitizeXML(xml) {
+        let sanitized = xml;
+        // Remove DOCTYPE declarations
+        sanitized = sanitized.replace(/<!DOCTYPE[^>]*>/gi, '');
+        // Remove ENTITY declarations
+        sanitized = sanitized.replace(/<!ENTITY[^>]*>/gi, '');
+        // Remove SYSTEM references
+        sanitized = sanitized.replace(/SYSTEM\s+["'][^"']*["']/gi, '');
+        // Remove PUBLIC references
+        sanitized = sanitized.replace(/PUBLIC\s+["'][^"']*["']/gi, '');
+        return sanitized;
+    }
+    /**
+     * Safe XML parsing helper (returns parsed object or null)
+     * Note: In production, use a library like 'libxmljs2' with secure defaults
+     */
+    safeParseXML(xmlContent) {
+        const detection = this.detect(xmlContent);
+        if (detection.isMalicious) {
+            if (this.config.blockOnDetection) {
+                throw new Error(`XXE attack detected: ${detection.detectedPatterns.join(', ')}`);
+            }
+            return null;
+        }
+        // In production, use a secure XML parser here
+        // Example with libxmljs2:
+        // const libxmljs = require('libxmljs2');
+        // return libxmljs.parseXml(detection.sanitizedInput, {
+        //     noent: false,  // Disable entity substitution
+        //     dtdload: false, // Disable DTD loading
+        //     dtdvalid: false, // Disable DTD validation
+        //     nonet: true,    // Disable network access
+        // });
+        return { warning: 'Use a secure XML parser library in production' };
+    }
+    getPatternName(index) {
+        const names = [
+            'External SYSTEM entity',
+            'External PUBLIC entity',
+            'Parameter entity',
+            'DOCTYPE SYSTEM',
+            'DOCTYPE PUBLIC',
+            'File protocol',
+            'HTTP/HTTPS external resource',
+            'PHP wrapper',
+            'Data URI',
+        ];
+        return names[index] || `Pattern ${index}`;
+    }
+    logAttempt(result) {
+        console.warn('[XXE] Attack detected:', {
+            timestamp: new Date().toISOString(),
+            confidence: result.confidence,
+            patterns: result.detectedPatterns,
+        });
+    }
+    updateConfig(newConfig) {
+        this.config = { ...this.config, ...newConfig };
+    }
+    getConfig() {
+        return { ...this.config };
+    }
+}
+
+module.exports = XXEProtector;
+//# sourceMappingURL=XXEProtector.js.map

package/dist/cjs/src/middleware/built-in/security/XXEProtector.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"XXEProtector.js","sources":["../../../../../../src/middleware/built-in/security/XXEProtector.ts"],"sourcesContent":[null],"names":[],"mappings":";;AAAA;;;;;AAKG;AAUH,MAAM,YAAY,CAAA;AA8Bd,IAAA,WAAA,CAAY,SAAoB,EAAE,EAAA;;AA1BjB,QAAA,IAAA,CAAA,iBAAiB,GAAG;;YAEjC,8BAA8B;YAC9B,8BAA8B;;YAG9B,sBAAsB;;YAGtB,+BAA+B;YAC/B,+BAA+B;;YAG/B,0BAA0B;;YAG1B,kCAAkC;;YAGlC,YAAY;YACZ,eAAe;;YAGf,aAAa;SAChB,CAAC;QAGE,IAAI,CAAC,MAAM,GAAG;AACV,YAAA,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,IAAI;AAC/B,YAAA,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,IAAI;AACrC,YAAA,WAAW,EAAE,MAAM,CAAC,WAAW,IAAI,IAAI;AACvC,YAAA,gBAAgB,EAAE,MAAM,CAAC,gBAAgB,IAAI,IAAI;AACjD,YAAA,sBAAsB,EAAE,MAAM,CAAC,sBAAsB,IAAI,GAAG;AAC5D,YAAA,cAAc,EAAE,MAAM,CAAC,cAAc,IAAI,EAAE;AAC3C,YAAA,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,KAAK;AAClC,YAAA,qBAAqB,EAAE,MAAM,CAAC,qBAAqB,IAAI,KAAK;AAC5D,YAAA,mBAAmB,EAAE,MAAM,CAAC,mBAAmB,IAAI,CAAC;SACvD,CAAC;KACL;AAED;;AAEG;AACH,IAAA,MAAM,CAAC,UAAqC,EAAA;QACxC,IAAI,CAAC,UAAU,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE;YAC/C,OAAO;AACH,gBAAA,WAAW,EAAE,KAAK;AAClB,gBAAA,UAAU,EAAE,CAAC;AACb,gBAAA,gBAAgB,EAAE,EAAE;AACpB,gBAAA,SAAS,EAAE,KAAK;aACnB,CAAC;SACL;AAED,QAAA,MAAM,MAAM,GAA4B;AACpC,YAAA,WAAW,EAAE,KAAK;AAClB,YAAA,UAAU,EAAE,CAAC;AACb,YAAA,gBAAgB,EAAE,EAAE;AACpB,YAAA,cAAc,EAAE,UAAU;AAC1B,YAAA,SAAS,EAAE,KAAK;SACnB,CAAC;;QAGF,IAAI,SAAS,GAAG,CAAC,CAAC;QAClB,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,KAAK,KAAI;YAC9C,MAAM,OAAO,GAAG,UAAU,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAC1C,IAAI,OAAO,EAAE;gBACT,MAAM,WAAW,GAAG,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;AAC/C,gBAAA,MAAM,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAA,EAAG,WAAW,CAAA,EAAA,EAAK,OAAO,CAAC,MAAM,CAAA,cAAA,CAAgB,CAAC,CAAC;gBAChF,SAAS,IAAI,GAAG,CAAC;aACpB;AACL,SAAC,CAAC,CAAC;;AAGH,QAAA,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,IAAI,aAAa,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE;AACzD,YAAA,MAAM,CAAC,gBAAgB,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;YAC9D,SAAS,IAAI,GAAG,CAAC;SACpB;;AAGD,QAAA,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,qBAAqB,IAAI,YAAY,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE;AACrE,YAAA,MAAM,CAAC,gBAAgB,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;YACjE,SAAS,IAAI,GAAG,CAAC;SACpB;;QAGD,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;;AAG7C,QAAA,IAAI,MAAM,CAAC,UAAU,IAAI,GAAG,EAAE;AAC1B,YAAA,MAAM,CAAC,SAAS,GAAG,UAAU,CAAC;AAC9B,YAAA,MAAM,CAAC,WAAW,GAAG,IAAI,CAAC;SAC7B;aAAM,IAAI,MAAM,CAAC,UAAU,IAAI,IAAI,CAAC,MAAM,CAAC,sBAAsB,EAAE;AAChE,YAAA,MAAM,CAAC,SAAS,GAAG,MAAM,CAAC;AAC1B,YAAA,MAAM,CAAC,WAAW,GAAG,IAAI,CAAC;SAC7B;AAAM,aAAA,IAAI,MAAM,CAAC,UAAU,IAAI,GAAG,EAAE;AACjC,YAAA,MAAM,CAAC,SAAS,GAAG,QAAQ,CAAC;YAC5B,MAAM,CAAC,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC;SAC/C;;AAGD,QAAA,IAAI,MAAM,CAAC,UAAU,IAAI,GAAG,EAAE;YAC1B,MAAM,CAAC,cAAc,GAAG,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;SACxD;;AAGD,QAAA,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,IAAI,MAAM,CAAC,UAAU,IAAI,GAAG,EAAE;AACrD,YAAA,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;SAC3B;AAED,QAAA,OAAO,MAAM,CAAC;KACjB;AAED;;AAEG;AACK,IAAA,WAAW,CAAC,GAAW,EAAA;QAC3B,IAAI,SAAS,GAAG,GAAG,CAAC;;QAGpB,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,mBAAmB,EAAE,EAAE,CAAC,CAAC;;QAGvD,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,kBAAkB,EAAE,EAAE,CAAC,CAAC;;QAGtD,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,2BAA2B,EAAE,EAAE,CAAC,CAAC;;QAG/D,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,2BAA2B,EAAE,EAAE,CAAC,CAAC;AAE/D,QAAA,OAAO,SAAS,CAAC;KACpB;AAED;;;AAGG;AACH,IAAA,YAAY,CAAC,UAAkB,EAAA;QAC3B,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;AAE1C,QAAA,IAAI,SAAS,CAAC,WAAW,EAAE;AACvB,YAAA,IAAI,IAAI,CAAC,MAAM,CAAC,gBAAgB,EAAE;AAC9B,gBAAA,MAAM,IAAI,KAAK,CAAC,CAAA,qBAAA,EAAwB,SAAS,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA,CAAE,CAAC,CAAC;aACpF;AACD,YAAA,OAAO,IAAI,CAAC;SACf;;;;;;;;;;AAYD,QAAA,OAAO,EAAE,OAAO,EAAE,+CAA+C,EAAE,CAAC;KACvE;AAEO,IAAA,cAAc,CAAC,KAAa,EAAA;AAChC,QAAA,MAAM,KAAK,GAAG;YACV,wBAAwB;YACxB,wBAAwB;YACxB,kBAAkB;YAClB,gBAAgB;YAChB,gBAAgB;YAChB,eAAe;YACf,8BAA8B;YAC9B,aAAa;YACb,UAAU;SACb,CAAC;QACF,OAAO,KAAK,CAAC,KAAK,CAAC,IAAI,CAAW,QAAA,EAAA,KAAK,EAAE,CAAC;KAC7C;AAEO,IAAA,UAAU,CAAC,MAA+B,EAAA;AAC9C,QAAA,OAAO,CAAC,IAAI,CAAC,wBAAwB,EAAE;AACnC,YAAA,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,QAAQ,EAAE,MAAM,CAAC,gBAAgB;AACpC,SAAA,CAAC,CAAC;KACN;AAED,IAAA,YAAY,CAAC,SAA6B,EAAA;AACtC,QAAA,IAAI,CAAC,MAAM,GAAG,EAAE,GAAG,IAAI,CAAC,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;KAClD;IAED,SAAS,GAAA;AACL,QAAA,OAAO,EAAE,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;KAC7B;AACJ;;;;"}